Pulse

By GCN Staff

DARPA targets supply-chain threats in hardware, firmware

Amid growing concerns about malware threats in the IT supply chain, the Defense Advanced Research Projects Agency is looking for ways to test commercial products on a large scale to make sure they’re “clean.”

DARPA has launched the Vetting Commodity IT Software and Firmware (VET) program to find methods of ensuring that the commercial IT products the Defense Department buys, ranging from smart phones to routers, are free of backdoors, malicious code and other potential threats.

Supply-chain security has come to the fore recently, with a congressional intelligence panel warning that the United States “should view with suspicion” the growth of Chinese telecommunications companies in the U.S. market. A recent report by the Georgia Tech Information Security Center and Georgia Tech Research Institute identified supply chain threats as a serious, and hard to detect, threat.

Back doors, spyware and other malicious code could theoretically be designed into products or added by a manufacturer, vendor or integrator.

DARPA’s VET program wants to test products before they’re installed, which would seem to be a pretty big job.

“DOD relies on millions of devices to bring network access and functionality to its users,” Tim Fraser, DARPA program manager, said in a statement. “Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”

With VET, DARPA wants to develop a three-step process:

Defining malice: Given a sample device, how can DOD analysts produce a prioritized checklist of software and firmware components to examine and list broad classes of hidden malicious functionality to rule out?

Confirming the absence of malice: How can analysts demonstrate the absence of those broad classes of hidden malicious functionality?

Examining equipment at scale: How can the procedure scale to non-specialist technicians who must vet every individual new device used by DOD prior to deployment?

DARPA will host a proposer’s day Dec. 12 in Arlington, Va., to brief interested participants in the program.

Democrats will vote on an appropriations package to reopen all the federal agencies shuttered during the partial shutdown, but the lack of wall funding will likely means the measure won't get a vote in the Senate.